Have you ever considered what would happen to your laptop if you were to lose it? Would it be on Ebay the next day? Would the data be scraped off and show up on some MySpace Web site within the week? Would the data that you store on it be used in a hostile take over of your company? Certainly all of these scenarios should be considered.
Is There Any Risk?
With over 600,000 laptops stolen every year, the possibility of not having your laptop tomorrow is pretty good. According to Gartner, the chances of your laptop being stolen this year is 1 in 10. That is a 10% chance that your laptop will be stolen. What about losing it or misplacing it? That surely takes your chances up to about 20% or so.
Here is a real life story for you. Last month I was getting off the plane in Las Vegas where I was attending a conference with a good friend of mine. My good friend, MD I will call him, is a successful businessman, high ranking Army officer, and all around good guy. When I landed, we spoke about how he had spent the last 12 hours trying to track down his laptop, after he had left it in a rental car for only 20 minutes. The rental car was snagged by an unknowing renter with MD's laptop tucked away in the back seat. As I spoke with MD about his mishap, I inquired about his obvious efforts to protect his laptop, data, and information before he errantly left it in the rental car. His answer was similar to most that lose a laptop, "I did not have time, nor did I think it would happen to me!" As he called the rental car agency for the next four days trying to locate his laptop, I educated him on some basic steps that could be performed to protect his "next" laptop.
The first and obvious protection of your laptop is to always protect it physically. In MD's case, he committed the sin himself by leaving the laptop behind as he selected another rental car. The initial advice that I gave to him was to ALWAYS keep his laptop bag in the same spot when he traveled. This means for me:
- keeping it in the front seat in my rental car
- carrying it in the cab with me, not in the trunk
- leaving it in the walkway in my hotel room, so I need to walk around it to leave the room
- storing my laptop bag directly above my seat in the overhead bin on an airplane
I then continued to describe the physical restraining devices that were available on the market. Some devices are simple locks with cables, so the laptop can be strapped down to a desk or table. These are excellent for home and hotel use. If you need to go one step further, you can also get an alarm attached to these devices, so if the laptop is moved, the cable cut, etc., the alarm will sound. This will hopefully deter the thief and keep your laptop intact instead of getting the highest bid on Ebay.
MD was very concerned and curious about the "new owner" accessing his computer by logging in with a user account. I informed MD that this was not only possible, but rather easy. I went on to mention that there were many options for the new owner, but some protection could be implemented.
The access is easy, since the new owner could install another operating system alongside the existing one, then delete the SAM file from the original installation. With the SAM file now deleted, the new owner could boot up to the original installation and logon with the Administrator account having a blank password.
I then went on to explain that Windows Vista had a new feature to protect against this, called BitLocker. BitLocker is an encryption of the entire system, so the new operating system installation could not see the old installation files.
I then went on to explain that with older Windows operating systems, the new owner could also take the original SAM file and run it through a tool like L0phtcrack. With enough time and computing power, all of the passwords for the local user accounts could be obtained. However, newer operating systems by Microsoft had SYSKEY enabled, which helped protect against this attack, as shown in Figure 1.
Figure 1: SYSKEY is enabled on newer Windows operating systems by default
Protect the Data
MD then asked about the data that was stored on the laptop, in essence very concerned that the data could be read by the new owner. With confidential company files and classified military files, MD's concerns were valid. I had to tell it to him straight, after he said he had not done anything to protect the files before he lost the laptop. He did ask the right question, which was how could he protect his files on the next laptop.
I first explained that he could start by having a BIOS password. Not an end all to security, but it is at least one step in the right direction to protecting the laptop from a user accessing the operating system. There are methods around this, but it is a good start.
Second, I explained the difference between NTFS and FAT file systems. With NTFS, all data has a list of users that can access the files, as shown in Figure 2.
Figure 2: NTFS has an access control list (ACL) associated with every file
Again, not a foolproof security practice for a lost laptop, but certainly another road block for the new owner trying to access files that have been protected by a list of users that should be able to access the files. FAT provides no permissions and should never be used due to the lack of security.
Third, there is always encryption using Encrypting File System (EFS). EFS was first introduced in Windows 2000 and is a method of encrypting data as it sits on the hard drive. This method of protection associates a private and public key pair with the data, so if the private key is not available, users can't access the data. There are methods around this protection, but they are not easy to apply.
Fourth, I spoke of another level of encryption, which was to use a third party solution, possibly one that combined a USB thumb drive to the encryption for storage of the private key. This encryption is much better than the built in encryption, due to the fact that the USB key is necessary to access the data, not just knowing the correct username and password like the built in EFS option.
Finally, I had to mention that all data needed to be backed up just in case the laptop data were to be corrupted, lost, deleted, etc. Not really a security issue, but an issue of data integrity. I can't talk about data to someone without mentioning backing up the data for some reason. It is in my blood!
As I summarized the laptop security plan to MD, he could see that the risk of losing his data and laptop forever was real. He could clearly see that the physical protection of the laptop was essential, most likely the most important aspect as he spent the 4 days trying to trace it down. His concerns regarding the new owner accessing the computer and data were also valid, since he did not take any precautions to protect the operating system or data. There are options, which he is now armed with the knowledge of how to implement them. As I finished up my multiple day discussion of laptop protection, he got a call from the rental car company with great news... the new owner had not even seen the laptop in the back of the car until he returned the car and the laptop was safe and sound.